[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ISP signatures on outgoing mail




At 06:14 PM 7/3/97 +0200, Anonymous wrote:
>Anyone heard of a proposal for ISPs to automatically sign outgoing
>mail headers?  Problem has been that spammers send email by one
>path but forge a reply-to or from address at another location.  

Flat-out can't work.  The problem is that you can send
SMTP directly from your machine to its destination,
so the ISP only routes the IP packets and doesn't read them.
It's popular for mail clients like Eudora and Netscape to
send all their mail to an SMTP forwarder, but the main
reasons to do that are to move the complicated work
to a machine that's on line all the time and smart enough
to deal with problems like retrying mail to systems that
don't answer, generating meaningful error messages when
the destination can't accept the mail, forwarding to
systems off in uucp-space, etc.  So it's perfectly
reasonable for mail from [email protected] to originate
on Joe's PC, with no way for AOL to sign it.
There's also the problem of misconfigured Win95 machines,
where either the operating system or the operator
aren't bright enough to send the correct machine name.
For instance, this mail comes from ca07b8bl.bns.att.com,
as any system that records the HELO messages will tell you,
because when my laptop is at work, that's it's name on the LAN.
Netcom's SMTP forwarder only identifies it by IP and DNS
pax-ca8-10.ix.netcom.com(204.30.66.74) address of the
dialup port it connected to, though other servers I've
used have also passed along, or at least recorded, the ca07b8bl.

Digital signatures take a lot of calculation,
and while CPUs keep getting cheaper, mail volume keeps getting larger.
It's difficult to make server-based signing scale well, especially for the
bigger ISPs.  Netcom's farm of mail servers is large and slow enough already.
You could try to force the user to sign the mail, 
using a signature certified by the ISP, and only forward email 
that's from or to your subscribers - but checking signatures still
requires about as much calculation, and the cheaper approach of 
looking at the signature key without really checking the signature
is easily forged.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#   (If this is a mailing list or news, please Cc: me on replies.  Thanks.)